05 Feb 2008

Productivity vs Security

This is a copy of a comment I posted on Rich Mogul's website. I thought that my answer clearly shows my present way of thinking about Information Security and the value thereof. I have edited my answer for this Blog Post but the essence is the same.

Rich was answering a question from Scott, who assumed that as productivity goes up security goes down and vice versa, and that at some point there must be a sweet spot where you get the most productivity at the least cost to security. Scott uses the word "obviously".

Your (Rich and Scott) assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity, e.g. where spam is blocked and the user does not need to spend hours sorting email. Alternatively, if browsing is restricted and time-wasting sites like Facebook are blocked, then productivity goes up.

My big security theory (which I wish I could put into practice) is that once companies achieve a "security zen" state (sorry if that is copyright), when security becomes part of the culture and is built into all systems, then it actually increases productivity in a way that could help the bottom line.

In response to the original poster: if Information Security is at odds with the processes of the business, then either the process is wrong or the information security is wrong.

If you tack on security after the fact your thinking will always be wrong.

Example:
A sales rep is always on the road. Because he lives in the north part of town, that is where his customers are. He has a list of customers and their details on his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop, and it must be done over a VPN. The sales guy also has to have his laptop encrypted and a password-protected screensaver. He can, if he wants to, drive into work and download the information over the network, but work is far from his house and his customers.

Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn't. He has to type in passwords every time he needs to use his PC. What a schlep.

But... if you think about the savings in terms of productivity compared to driving to work to get the information, printing it out and then filing it away at the end of the day (another trip), the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure, and a few extra seconds each time information is needed plus a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.
